Creating new users role - a security risk?

Description

Ok, I've noticed that users with roles less than Administrator (if allowed to Create/Edit/Delete users, as defined in the Role Manager plugin) are able to:

list all users (which is a bit insecure, as I would expect them to be able only to list users in levels up to their level, not above, like admins)

edit/delete all users (which is even more insecure, as this way they can simply "upgrade" any of the existing users to admins with no problem)

add new users with any roles assigned to them, even administrator role.

Could that be fixed, so that users in a group with a level of 7 can't see any of the other groups above level 7, and can't create new/edit existing users and assign them any role higher than 7, for example?

Otherwise, this is a major security risk for anyone allowing any users in groups less than administrator to administer other users.


Change History (3)

Allowing users to edit users higher than themselves does indeed not make much sense, however the user level number idea is deprecated/not used anymore. Perhaps some way to define an order on the Roles, thus allowing it to determine which roles are above other roles?

This was discussed on another ticket/mailing list, I can't remember where.

The idea which was suggested that made most sense to me was that users should not be able to create a user with a capability they themselves do not have, so if they do not have the manage_options capability, they should not be able to create a user who would have the manage_options cap. And a similar route for editing users.
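The rule proposed in the comment above (nobody may create or edit a user into a capability set they do not themselves hold) can be enforced on the plugin side. The following is an added example, not code from the ticket or from WordPress core; it assumes the WordPress `editable_roles` and `map_meta_cap` filters, `wp_get_current_user()`, `get_userdata()` and the `WP_User::$allcaps` array, while the pure helper functions and the constructed sample roles at the bottom run without WordPress.

```php
<?php
/**
 * Added example (not from the ticket): stop privilege escalation through
 * user management by allowing an actor to assign, or edit a user into, only
 * roles whose capabilities are a subset of the actor's own capabilities.
 */

/** Capabilities a role or user actually grants: only entries mapped to true. */
function ticket_granted_caps(array $caps): array {
    return array_keys(array_filter($caps, fn($granted) => (bool) $granted));
}

/** True when every capability granted by $target_caps is also held by the actor. */
function ticket_caps_within(array $actor_caps, array $target_caps): bool {
    $missing = array_diff(ticket_granted_caps($target_caps), ticket_granted_caps($actor_caps));
    return empty($missing);
}

/**
 * Reduce a role list to the roles the actor may legitimately grant.
 * $roles has the shape WordPress passes to `editable_roles`:
 * role_slug => ['name' => ..., 'capabilities' => [cap => bool]].
 */
function ticket_filter_assignable_roles(array $roles, array $actor_caps): array {
    return array_filter(
        $roles,
        fn($role) => ticket_caps_within($actor_caps, $role['capabilities'] ?? [])
    );
}

// Wiring into WordPress: only active when this file is loaded as a plugin.
if (function_exists('add_filter')) {
    // Hide roles the current user could not grant without escalating
    // (used by the Add/Edit User screens and the role dropdown).
    add_filter('editable_roles', function (array $roles): array {
        $actor = wp_get_current_user();
        return ticket_filter_assignable_roles($roles, $actor->allcaps);
    });

    // Deny edit_user/delete_user on any account holding a capability the
    // actor lacks, so a lower role cannot "upgrade" or remove a higher one.
    add_filter('map_meta_cap', function (array $caps, string $cap, int $user_id, array $args): array {
        if (!in_array($cap, ['edit_user', 'delete_user'], true) || empty($args[0])) {
            return $caps;
        }
        $actor  = get_userdata($user_id);
        $target = get_userdata((int) $args[0]);
        if ($actor && $target && $actor->ID !== $target->ID
            && !ticket_caps_within($actor->allcaps, $target->allcaps)) {
            $caps[] = 'do_not_allow'; // has_cap() fails when this marker is present
        }
        return $caps;
    }, 10, 4);
}

// Constructed sample roles (not WordPress defaults) so the pure helpers can
// be exercised from the command line outside WordPress.
if (PHP_SAPI === 'cli' && !function_exists('add_filter')) {
    $roles = [
        'administrator' => ['name' => 'Administrator',
            'capabilities' => ['manage_options' => true, 'edit_users' => true, 'edit_posts' => true]],
        'user_manager'  => ['name' => 'User Manager',
            'capabilities' => ['edit_users' => true, 'edit_posts' => true]],
        'author'        => ['name' => 'Author',
            'capabilities' => ['edit_posts' => true]],
    ];
    // A user manager lacks manage_options, so the administrator role is
    // filtered out of the roles they may assign.
    $manager_caps = $roles['user_manager']['capabilities'];
    print_r(array_keys(ticket_filter_assignable_roles($roles, $manager_caps)));
}
```

The subset check is deliberately capability-based rather than ordinal: it needs no ordering on roles, which matches the objection later in this ticket to reintroducing user-level numbers, and it still works for custom roles whose capability sets overlap without one being "above" the other.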

It was discussed in #6014, which is identical in principle to this ticket.

To repeat myself, we shouldn't be imposing any ordering on roles:

An order would be equivalent to the user level numbers (albeit with different labels). We moved away from this.

We'd never agree on a default ordering (we leave such things to plugins if desired by the user).

Problems arise because people aren't informed of the true extent of 'edit_users' capability. I suggested that the authors of plugins who allow users to mess with capabilities should make it very clear to their users. I still don't believe it's a WordPress issue (although we could look at improving our documentation), but I'll hold off closing the other ticket for risk of upsetting too many people :-)